Friday, June 13, 2008

Win32/Glenwiry.P follow-up

Just thought I'd post a little follow-up to my post from yesterday. I am still not completely comfortable saying I'm 100% certain that the Computer Associates quarantine of wextract.exe is a false positive, but based on everything I have read and know, it seems like a false positive is most likely. I'll probably leave those files quarantined until either CA issues a fix or my system suffers for not having it available.

I've seen some folks saying it likely ISN'T a false positive (how's that for a weird double negative) because ZoneAlarm has been noted as flagging these files too. Well, turns out that ZA uses the CA anti-virus engine. At least that's what CNET said last summer. If that is still true, I think it provides even more evidence that we are just looking at a bad definition in the CA tools. If I'm wrong about the ZA-CA connection, I hope someone lets me know.

What is really bothering me now is that CA released a fix for a presumed trojan before it was even known to exist in the wild. This is evidenced by the complete lack of any Google hits on Glenwiry.P before this antivirus definition update last night by CA. Even CA's own website doesn't have any information on the Glenwiry.P threat as of the time of this posting. If that's the case, how is it being caught by their antivirus tools? Perhaps they released the fix ... There has always been speculation and conspiracy theories that antivirus companies may actually create viruses/threats. An interesting business model, indeed. Though, it is a neat trick to catch a "threat" before anyone has ever heard of it, even yourself. But, hey, what the heck do I know? I'm just a once-in-a-while blogger.
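One check worth running before deciding to restore or delete a quarantined system file: wextract.exe is the Win32 Cabinet Self-Extractor that Windows ships in system32 (it is also the stub embedded in IExpress-built installers, which is why copies turn up inside third-party packages), so the stock copy should carry a Microsoft signature. The PowerShell script below is an added example, not part of the original post or of any CA or Microsoft tooling; it assumes the default system32 path (pass -Path for a copy quarantined elsewhere) and uses only the built-in Get-AuthenticodeSignature cmdlet plus .NET hashing so it runs on older PowerShell versions.

```powershell
# Added example (not from the original post): verify whether a quarantined
# Windows binary such as wextract.exe is a legitimate OS file before restoring it.
# Assumption: the default path below is the XP/Vista location of the stock file;
# pass -Path to check a copy an AV product quarantined from somewhere else.
param(
    [string]$Path = "$env:SystemRoot\system32\wextract.exe"
)

function Get-FileSha256([string]$FilePath) {
    # Hash with .NET directly so this also works on PowerShell builds
    # that predate the Get-FileHash cmdlet.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

if (-not (Test-Path $Path)) {
    Write-Host "File not found: $Path (still in quarantine?)"
    return
}

$item = Get-Item $Path
$sig  = Get-AuthenticodeSignature $Path

Write-Host "Path      : $($item.FullName)"
Write-Host "Size      : $($item.Length) bytes"
Write-Host "Modified  : $($item.LastWriteTime)"
Write-Host "SHA-256   : $(Get-FileSha256 $item.FullName)"
Write-Host "Signature : $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Host "Signer    : $($sig.SignerCertificate.Subject)"
}

# Interpretation: a Valid signature from Microsoft is strong evidence that this
# is the stock component and the detection is a false positive. NotSigned is
# NOT proof of malware: on XP most system binaries are catalog-signed rather
# than embedded-signed, and older PowerShell builds do not consult the catalog.
# In that case fall back to Sysinternals sigcheck (sigcheck -a -h <file>) or
# compare the hash with the same file on a known-clean machine at the same
# patch level before restoring it.
$trusted = ($sig.Status -eq 'Valid') -and
           ($sig.SignerCertificate.Subject -like '*Microsoft*')
if ($trusted) {
    Write-Host "Verdict   : signed Microsoft binary; restoring it is reasonable"
} else {
    Write-Host "Verdict   : unverified; confirm with sigcheck or a known-clean copy first"
}
```

The same script applies to the MSXML.exe mentioned in the comments: if it is an IExpress package it will be signed by whoever built the installer (or not at all), so the hash comparison against a clean copy of the installer is the more useful line of evidence there.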

4 comments:

Anonymous said...

CA had a present for me this morning, found the glenwiry-p in MSXML.exe, distributed in Turbo Tax.

I still have 2007 installed, plus 2005 on a backup drive from an older operating system, deleted them both.

micahcf said...

You are a rockstar. Subvert the dominant paradigm.exe.

Dr. Citrus said...

Like the rest of us, I freaked when yesterday's overnight scan showed wextract.exe as infected. Couldn't figure out any way I would have caught it... Thanks for the obvious answer: CA screw up. Got a new update from CA this morning...

Now for the solution: Do I just restore the two quarantined files and rescan?

Unknown said...

@JL: Check out my latest post on this subject (http://rabidwombats.blogspot.com/2008/06/win32glenwiryp-final-chapter.html).

Basically, I restored the files on my machine since the newest virus definitions from CA seem to be happy with wextract.exe.